1
Shibboleth Update a.k.a. “shibble-ware”
Michael R Gettes, Duke University On behalf of the project team November 2004
2
What is Shibboleth? (Biblical)
A word which was made the criterion by which to distinguish the Ephraimites from the Gileadites. The Ephraimites, not being able to pronounce “sh”, called the word sibboleth. See --Judges xii. Hence, the criterion, test, or watchword of a party; a party cry or pet phrase. Webster's Revised Unabridged Dictionary (1913)
3
What is Shibboleth? (modern era)
- An initiative to develop an architecture and policy framework supporting the sharing, between domains, of secured web resources and services
- A project delivering an open source implementation of the architecture and framework
- Deliverables:
  - Software for Identity Providers (origins/campuses)
  - Software for Service Providers (targets/vendors)
  - Operational federations (scalable trust)
4
So… What is Shibboleth?
- A Web Single-Signon System (SSO)?
- An Access Control Mechanism for Attributes?
- A Standard Interface and Vocabulary for Attributes?
- A Standard for Adding Authn and Authz to Applications?
5
Attribute-based Authorization
- Identity-based approach: the identity of a prospective user is passed to the controlled resource and is used to determine (perhaps with requests for additional attributes about the user) whether to permit access. This approach requires the user to trust the target to protect privacy.
- Attribute-based approach: attributes are exchanged about a prospective user until the controlled resource has sufficient information to make a decision. This approach need not degrade privacy: the resource sees only the attributes released to it, which may fall well short of an identity.
6
How Does it Work? Hmmmm…. It’s magic. :-)
7
Shibboleth AA Process
Actors: at the Service Provider, the Web Site/Resource, the ACS (Assertion Consumer Service), the AR (Attribute Requester) and the Resource Manager; the WAYF ("Where Are You From"); at the Identity Provider, the HS (Handle Service), the AA (Attribute Authority) and the User DB. Steps as numbered in the diagram:
1. The user's browser requests a protected resource at the Service Provider's web site.
2. SP: "I don't know you. Not even which home org you are from. I redirect your request to the WAYF."
3. WAYF: "Please tell me where you are from?"
4. WAYF: "OK, I redirect your request now to the Handle Service of your home org."
5. HS: "I don't know you. Please authenticate using WEBLOGIN."
6. The user's credentials are checked against the Identity Provider's User DB.
7. HS: "OK, I know you now. I redirect your request to the target, together with a handle." (The handle arrives at the SP's ACS.)
8. AR: "I don't know the attributes of this user. Let's ask the Attribute Authority." (The AR sends the handle to the AA.)
9. AA: "Let's pass over the attributes the user has allowed me to release."
10. Resource Manager: "OK, based on the attributes, I grant access to the resource."
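The ten steps above as a runnable walk-through. This is an added example written for this page, not Shibboleth's own implementation: the WAYF, the IdP's Handle Service and Attribute Authority, and the SP's ACS, Attribute Requester and Resource Manager are modelled as Python objects, and the entity IDs, URLs, user record, attribute release policy (ARP) and HMAC-based "signature" are assumptions standing in for SAML 1.x messages and XML-DSig.

```python
"""Runnable walk-through of the ten AA-process steps.

Added example, not Shibboleth code. The class names, entity IDs, URLs, user
records and policy tables are assumptions made for the walk-through. The real
components exchange SAML 1.x over browser redirects/POSTs and sign with
XML-DSig; here an HMAC over canonical JSON stands in for the signature and a
function call stands in for each redirect.
"""
import hashlib
import hmac
import json
import secrets

IDP_ID = "urn:mace:example:idp:duke"      # assumed entity IDs
SP_ID = "urn:mace:example:sp:vendor"
# Constructed trust fabric: the IdPs this SP accepts and the key used to check
# what each one signs (federation metadata carries certificates for this).
TRUST_FABRIC = {IDP_ID: b"duke-idp-signing-key (assumed)"}


def sign(key, body):
    """Stand-in for the SAML signature: HMAC-SHA256 over canonical JSON."""
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()


class WAYF:
    """Steps 2-4: navigation only. Nothing it says is trusted by SP or IdP."""
    def __init__(self, known_idps):
        self.known_idps = known_idps

    def redirect_to_home_org(self, user_choice):
        if user_choice not in self.known_idps:
            raise LookupError("home org is not in the WAYF list")
        return user_choice


class IdentityProvider:
    """Handle Service (HS) and Attribute Authority (AA) of one home org."""
    def __init__(self, entity_id, key, users, release_policy):
        self.entity_id, self.key, self.users = entity_id, key, users
        self.release_policy = release_policy   # ARP: SP entity ID -> releasable attributes
        self.handles = {}                      # opaque handle -> local username

    def handle_service(self, username, password, acs_url):
        # Steps 5-6: authenticate against the local User DB (WebLogin).
        user = self.users.get(username)
        if user is None or user["password"] != password:
            raise PermissionError("authentication failed")
        # Step 7: mint an opaque, single-use handle bound to the requesting ACS.
        # The handle carries no identity, so the SP learns nothing from it.
        handle = secrets.token_hex(16)
        self.handles[handle] = username
        body = {"issuer": self.entity_id, "handle": handle, "recipient": acs_url}
        return {**body, "sig": sign(self.key, body)}

    def attribute_authority(self, handle, requester):
        # Steps 8-9: resolve the handle, then apply the Attribute Release Policy:
        # only attributes the ARP allows for this requester leave the IdP.
        username = self.handles.pop(handle, None)   # single use: a replay finds nothing
        if username is None:
            raise LookupError("unknown or already consumed handle")
        allowed = self.release_policy.get(requester, set())
        return {k: v for k, v in self.users[username]["attributes"].items() if k in allowed}


class ServiceProvider:
    def __init__(self, entity_id, acs_url, trust_fabric, required_entitlement):
        self.entity_id, self.acs_url = entity_id, acs_url
        self.trust_fabric, self.required_entitlement = trust_fabric, required_entitlement

    def assertion_consumer(self, token):
        # ACS: accept a handle only from an IdP in the trust fabric, only with a
        # valid signature, and only if it was issued to this ACS.
        key = self.trust_fabric.get(token["issuer"])
        if key is None:
            raise PermissionError("issuer not in trust fabric")
        body = {k: v for k, v in token.items() if k != "sig"}
        if not hmac.compare_digest(sign(key, body), token["sig"]):
            raise PermissionError("signature check failed")
        if token["recipient"] != self.acs_url:
            raise PermissionError("handle was issued to a different SP")
        return token["issuer"], token["handle"]

    def resource_manager(self, attributes):
        # Step 10: the decision rests on attributes alone; no identity is needed.
        return self.required_entitlement in attributes.get("eduPersonEntitlement", [])


def access_resource(sp, wayf, idps, home_org, username, password):
    """Drive steps 1-10 for one user; returns (granted, attributes the SP saw)."""
    idp = idps[wayf.redirect_to_home_org(home_org)]                 # steps 1-4
    token = idp.handle_service(username, password, sp.acs_url)       # steps 5-7
    issuer, handle = sp.assertion_consumer(token)                    # ACS validation
    attrs = idps[issuer].attribute_authority(handle, sp.entity_id)   # steps 8-9
    return sp.resource_manager(attrs), attrs                         # step 10


# Constructed sample data: one user, and an ARP that releases only affiliation
# and entitlement to this SP, never the principal name or department.
USERS = {"alice": {"password": "correct-horse", "attributes": {
    "eduPersonPrincipalName": ["alice@duke.edu"],
    "eduPersonAffiliation": ["member"],
    "eduPersonEntitlement": ["urn:mace:vendor:contract1234"],
    "ou": ["Economics Department"]}}}
ARP = {SP_ID: {"eduPersonAffiliation", "eduPersonEntitlement"}}

idp = IdentityProvider(IDP_ID, TRUST_FABRIC[IDP_ID], USERS, ARP)
IDPS = {IDP_ID: idp}
wayf = WAYF(IDPS)
sp = ServiceProvider(SP_ID, "https://vendor.example/Shibboleth.sso/SAML/POST",
                     TRUST_FABRIC, "urn:mace:vendor:contract1234")

if __name__ == "__main__":
    print(access_resource(sp, wayf, IDPS, IDP_ID, "alice", "correct-horse"))
```

Running it grants access while the SP sees only eduPersonAffiliation and eduPersonEntitlement; the ARP at the AA is what keeps eduPersonPrincipalName and ou at home, which is the privacy point of the attribute-based approach. Note what the WAYF contributes: a choice of IdP and nothing else, so a wrong or malicious WAYF can at most send the user to an IdP the trust fabric does not contain, where the ACS rejects the handle.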
8
From Shibboleth Arch doc
[Figure: component diagram from the Shibboleth architecture document; labels recoverable from the slide: Identity Provider, Service Provider]
9
From Shibboleth Arch doc
[Figure: second diagram from the Shibboleth architecture document; labels recoverable from the slide: Identity Provider, Service Provider]
10
WAYF a second!
- WAYF is just a simple navigation tool
- Provides NO, ZERO, NADA, ZIP security
- It does NOT represent the federation: Federation != WAYF, WAYF != Federation
- Consideration for WAYF security is a future item
11
Demo!
12
Shibboleth Architecture
[Figure: Shibboleth architecture diagram, © SWITCH; the same actors and numbered steps 1-10 as the AA Process slide: Web Site/Resource, ACS, AR, Resource Manager at the Service Provider; WAYF; HS, AA, User DB at the Identity Provider]
13
Shibboleth Architecture -- Managing Trust
[Figure: trust relationships among the Browser, the Service Provider's Web Server and engine, and the Identity Provider's Attribute Server]
14
Typical Attributes in the Higher Ed Community
Attribute       Meaning                             Example
Affiliation     "active member of community"
EPPN            Identity (eduPersonPrincipalName)
Entitlement     An agreed-upon opaque URI           urn:mace:vendor:contract1234
OrgUnit         Department                          Economics Department
EnrolledCourse  Opaque course identifier            urn:mace:osu.edu:Physics201
15
Target – Managing Attribute Acceptance
Rules that define who can assert what…
- MIT can assert …
- Chicago can assert …
- Brown CANNOT assert …
- Important for entitlement values
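One way to encode the "who can assert what" rules on the target, as an added example (not Shibboleth's AAP engine or its configuration syntax). The issuer entity IDs, the scope and entitlement rules and the values are assumptions; the MIT/Chicago/Brown split mirrors the bullets above, with the entitlement value being the one the "Typical Attributes" slide uses.

```python
"""Attribute acceptance at the target (SP): "who can assert what".

Added example, not Shibboleth's AAP implementation; the rule layout, issuer
entity IDs and entitlement values are assumptions. Three kinds of rule are
checked, and anything no rule covers is dropped rather than passed through:
  - which attributes an issuer may assert at all;
  - for scoped attributes (user@scope), the scope must be one the issuer is
    registered for, so mit.edu cannot assert alice@brown.edu;
  - for eduPersonEntitlement, each value must be on the issuer's allow list,
    so an IdP cannot assert a contract it is not party to.
"""
from dataclasses import dataclass, field

SCOPED_ATTRIBUTES = {"eduPersonPrincipalName", "eduPersonScopedAffiliation"}


@dataclass
class IssuerRules:
    scopes: set                                      # DNS-style scopes, lowercase
    attributes: set                                  # attribute names it may assert
    entitlements: set = field(default_factory=set)   # entitlement URIs it may assert


# Constructed AAP: MIT and Chicago may assert contract1234, Brown may not.
AAP = {
    "urn:mace:incommon:mit.edu": IssuerRules(
        scopes={"mit.edu"},
        attributes={"eduPersonPrincipalName", "eduPersonAffiliation", "eduPersonEntitlement"},
        entitlements={"urn:mace:vendor:contract1234"}),
    "urn:mace:incommon:uchicago.edu": IssuerRules(
        scopes={"uchicago.edu"},
        attributes={"eduPersonPrincipalName", "eduPersonAffiliation", "eduPersonEntitlement"},
        entitlements={"urn:mace:vendor:contract1234"}),
    "urn:mace:incommon:brown.edu": IssuerRules(
        scopes={"brown.edu"},
        attributes={"eduPersonPrincipalName", "eduPersonAffiliation"}),
}


def apply_aap(issuer, attributes, aap=AAP):
    """Filter attributes asserted by `issuer` against the AAP.

    Returns (accepted, rejected): accepted maps attribute name -> kept values;
    rejected lists (attribute, value, reason) for the SP's audit log.
    """
    accepted, rejected = {}, []
    rules = aap.get(issuer)
    if rules is None:
        return {}, [(name, v, "issuer has no acceptance rules")
                    for name, vals in attributes.items() for v in vals]
    for name, values in attributes.items():
        if name not in rules.attributes:
            rejected += [(name, v, "issuer may not assert this attribute") for v in values]
            continue
        kept = []
        for value in values:
            if name in SCOPED_ATTRIBUTES:
                local, at, scope = value.rpartition("@")
                if not at or not local or scope.lower() not in rules.scopes:
                    rejected.append((name, value, "scope not registered to issuer"))
                    continue
            elif name == "eduPersonEntitlement" and value not in rules.entitlements:
                rejected.append((name, value, "entitlement value not allowed for issuer"))
                continue
            kept.append(value)
        if kept:
            accepted[name] = kept
    return accepted, rejected


if __name__ == "__main__":
    print(apply_aap("urn:mace:incommon:brown.edu",
                    {"eduPersonEntitlement": ["urn:mace:vendor:contract1234"],
                     "eduPersonAffiliation": ["member"]}))
```

The default-deny shape matters for entitlements in particular: a value such as urn:mace:vendor:contract1234 grants access on its own, so an IdP that is not on the allow list for that value must not be able to mint it, however valid its signature.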
16
What are federations? Initially “Authenticate locally, act globally”
- Associations of enterprises that come together to exchange information about their users and resources in order to enable collaborations and transactions
- Built on the premise of: initially, "Authenticate locally, act globally"; now, "Enroll and authenticate and attribute locally, act federally."
- Federation provides only modest operational support and consistency in how members communicate with each other
- Enterprises (and users) retain control over what attributes are released to a resource; the resources retain control (though they may delegate) over the authorization decision.
- Over time, this will all change…
17
InCommon federation First US Higher Ed Federation
Its precursor federation, InQueue, is a proving ground or testbed; organizations will feed into InCommon once they are deemed interoperable.
18
Service Providers http://shibboleth.internet2.edu/
And see the link on the left labeled “Shib-enabled Service Providers”
19
So… What is Shibboleth?
- A Web Single-Signon System (SSO)?
- An Access Control Mechanism for Attributes?
- A Standard Interface and Vocabulary for Attributes?
- A Standard for Adding Authn and Authz to Applications?
20
Sample InterFederation
21
Got SHIB?
22
Inter-Enterprise Authentication
- Is Shibboleth authentication? If so, to what degree?
- How does Shibboleth compare to PKI?
- PKI basics: no crypto, just process
- Greater understanding of what Shibboleth really brings to the landscape
- Knowing what we are doing and why
23
PKI Authentication Basics
[Figure: the User holds a Certificate and the matching Private Key; the Server validates the certificate the user presents]
24
Validation
- The server (application) performs the validation steps on the credential presented:
  - Verifies the CA signing cert is valid (certificate path validation processing)
  - Verifies the cert presented is valid
  - Certificate revocation tests (OCSP, CRLs)
- Applying the private key authenticates the end entity directly
25
Inter-Realm (server chooses trust)
[Figure: two CAs; the Server chooses which CA(s) to trust when validating the User's Certificate, which the user proves possession of with the Private Key]
26
Shibboleth Architecture
[Figure: the same Shibboleth architecture diagram (© SWITCH), with the steps grouped into two phases: Authentication (WAYF, HS, User DB, handle to ACS) and Attribute Release (AR, AA, Resource Manager)]
27
What shib does… SAML assertion from HS to ACS
- The Identity Provider is testifying about the handle being passed
- The ACS performs validation of the Identity Provider, like PKI path validation (albeit simpler)
- The Service Provider trusts that the end entity has been authenticated per the rules of the trust fabric
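The validation the ACS performs, laid out as the two-step path the slide compares to PKI path validation, as an added example (not Shibboleth code). The trust anchor is the federation's metadata-signing key (the analogue of a root CA); the signed metadata vouches for each member IdP's signing key (the analogue of an issued certificate); the IdP's signature on the assertion is the end-entity step. The metadata layout, field names, keys, entity IDs and the fixed clock are assumptions, and HMAC over canonical JSON stands in for the federation's metadata signature and the IdP's XML-DSig signature.

```python
"""What the ACS checks before it believes a handle, as a two-step 'path'.

Added example, not Shibboleth code; the metadata layout, field names, keys,
entity IDs and clock values are assumptions. Step 1: verify the federation
metadata with the federation key (trust anchor) and take the member list
from it. Step 2: verify the assertion with the member's key from that
metadata, then apply the assertion's conditions. Revocation here is not
OCSP/CRL: a member disappears when the next metadata refresh omits it, so
metadata past its validUntil must not be trusted.
"""
import hashlib
import hmac
import json


def mac(key, body):
    """Stand-in for a real signature: HMAC-SHA256 over canonical JSON."""
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def signed(key, body):
    return {**body, "sig": mac(key, body)}


def verify(key, doc):
    body = {k: v for k, v in doc.items() if k != "sig"}
    return hmac.compare_digest(mac(key, body), doc.get("sig", ""))


class AssertionConsumer:
    def __init__(self, entity_id, acs_url, federation_key, clock, skew=180):
        self.entity_id, self.acs_url = entity_id, acs_url
        self.federation_key = federation_key   # trust anchor, configured out of band
        self.clock, self.skew = clock, skew    # clock() -> epoch seconds; skew in seconds
        self.members, self.metadata_valid_until = {}, 0
        self.seen = {}                          # assertion ID -> expiry (replay cache)

    def load_metadata(self, metadata):
        """Path step 1: federation key -> list of members and their keys."""
        if not verify(self.federation_key, metadata):
            raise ValueError("metadata signature invalid: not from the federation")
        self.metadata_valid_until = metadata["validUntil"]
        self.members = {e["entityID"]: bytes.fromhex(e["key"]) for e in metadata["entities"]}

    def consume(self, assertion):
        """Path step 2 plus the SAML-style conditions; returns the handle."""
        now = self.clock()
        if now >= self.metadata_valid_until:
            raise PermissionError("metadata expired; refresh before trusting any issuer")
        key = self.members.get(assertion["issuer"])
        if key is None:
            raise PermissionError("issuer is not a federation member")
        if not verify(key, assertion):
            raise PermissionError("assertion signature invalid")
        if assertion["recipient"] != self.acs_url or assertion["audience"] != self.entity_id:
            raise PermissionError("assertion was not issued to this SP")
        if now < assertion["notBefore"] - self.skew or now >= assertion["notOnOrAfter"] + self.skew:
            raise PermissionError("assertion outside its validity window")
        # Replay cache: an ID is remembered until the window check would reject it anyway.
        self.seen = {i: exp for i, exp in self.seen.items() if exp > now}
        if assertion["id"] in self.seen:
            raise PermissionError("assertion replayed")
        self.seen[assertion["id"]] = assertion["notOnOrAfter"] + self.skew
        return assertion["handle"]


# Constructed federation: one member IdP; metadata valid for a day from t=1000.
FED_KEY = b"federation-metadata-signing-key (assumed)"
IDP_KEY = b"duke-idp-signing-key (assumed)"
IDP_ID = "urn:mace:example:idp:duke"
METADATA = signed(FED_KEY, {"validUntil": 1000 + 86400,
                            "entities": [{"entityID": IDP_ID, "key": IDP_KEY.hex()}]})


def make_assertion(key, issuer, assertion_id, handle, issued_at, recipient, audience):
    """What the HS would send: a 5-minute assertion bound to one SP."""
    return signed(key, {"id": assertion_id, "issuer": issuer, "handle": handle,
                        "recipient": recipient, "audience": audience,
                        "notBefore": issued_at, "notOnOrAfter": issued_at + 300})


if __name__ == "__main__":
    acs = AssertionConsumer("urn:mace:example:sp:vendor", "https://vendor.example/acs",
                            FED_KEY, clock=lambda: 1000)
    acs.load_metadata(METADATA)
    print(acs.consume(make_assertion(IDP_KEY, IDP_ID, "_a1", "handle-1", 1000,
                                     acs.acs_url, acs.entity_id)))
```

Compared with the PKI slide, the "path" is two links instead of a chain of arbitrary depth, and the checks on the end entity (signature, recipient, audience, validity window, replay) are the analogue of checking the presented certificate; what the ACS ends up knowing is only that some member of the trust fabric vouched for this handle, which is exactly the claim the last bullet above describes.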
28
What shib does… (2)
- Are attributes the result of authentication?
- Where does Level of Assurance (LoA) fit in?
- Is LoA an attribute or part of authN?
- Are Shib LoA and PKI LoA different?
29
Q & A -- How can we help you?